fix(miniprogram): 小程序审计修复 — 安全加固+功能链路+输入验证
安全修复: - H1: Token 刷新竞态条件 → Singleton Promise 模式防止并发刷新 - H4: 移除 store 中的 token 明文状态,统一走 secure storage - H5: 登录/绑定手机号添加 loading 防重复点击保护 - H6: Analytics 改用 request.ts 统一请求层,不再绕过认证 - M1: logout 清理所有残留数据(openid/tenant_id/analytics_queue) - M2/M7: 敏感数据(user/openid/tenant_id)统一走加密存储 - M3: 移除开发日志中的请求体打印 - M4: secure-storage 解密失败返回 null 而非空串 功能修复: - F1: 今日体征概览 API 支持 patient_id 查询参数(后端+前端) - F2: 积分商城对无患者档案用户展示引导 UI - M6: daily-monitoring 添加 Zod 数值范围验证 清理: - L4: 移除 devLogin 开发辅助函数
This commit is contained in:
iven
@@ -1,11 +1,17 @@
|
||||
import { useState } from 'react';
|
||||
import { View, Text, Input, Picker } from '@tarojs/components';
|
||||
import Taro, { useDidShow } from '@tarojs/taro';
|
||||
import { z } from 'zod';
|
||||
import { createDailyMonitoring } from '@/services/health';
|
||||
import { useAuthStore } from '@/stores/auth';
|
||||
import { trackEvent } from '@/services/analytics';
|
||||
import './index.scss';
|
||||
|
||||
const bpSchema = z.number().min(30, '血压值不能低于30').max(300, '血压值不能高于300').optional();
|
||||
const weightSchema = z.number().min(1, '体重不能低于1kg').max(500, '体重不能高于500kg').optional();
|
||||
const bloodSugarSchema = z.number().min(0.1, '血糖值不能低于0.1').max(50, '血糖值不能高于50').optional();
|
||||
const volumeSchema = z.number().min(0, '数值不能为负').max(10000, '数值超出合理范围').optional();
|
||||
|
||||
function formatDate(date: Date): string {
|
||||
const y = date.getFullYear();
|
||||
const m = String(date.getMonth() + 1).padStart(2, '0');
|
||||
@@ -81,6 +87,40 @@ export default function DailyMonitoring() {
|
||||
return;
|
||||
}
|
||||
|
||||
// Zod 验证数值范围
|
||||
const parseNum = (v: string) => v ? parseFloat(v) : undefined;
|
||||
const fields = {
|
||||
morningSystolic: parseNum(morningSystolic),
|
||||
morningDiastolic: parseNum(morningDiastolic),
|
||||
eveningSystolic: parseNum(eveningSystolic),
|
||||
eveningDiastolic: parseNum(eveningDiastolic),
|
||||
weight: parseNum(weight),
|
||||
bloodSugar: parseNum(bloodSugar),
|
||||
fluidIntake: parseNum(fluidIntake),
|
||||
urineOutput: parseNum(urineOutput),
|
||||
};
|
||||
|
||||
const validations: Array<[z.ZodTypeAny, number | undefined, string]> = [
|
||||
[bpSchema, fields.morningSystolic, '晨起收缩压'],
|
||||
[bpSchema, fields.morningDiastolic, '晨起舒张压'],
|
||||
[bpSchema, fields.eveningSystolic, '晚间收缩压'],
|
||||
[bpSchema, fields.eveningDiastolic, '晚间舒张压'],
|
||||
[weightSchema, fields.weight, '体重'],
|
||||
[bloodSugarSchema, fields.bloodSugar, '血糖'],
|
||||
[volumeSchema, fields.fluidIntake, '饮水量'],
|
||||
[volumeSchema, fields.urineOutput, '尿量'],
|
||||
];
|
||||
|
||||
for (const [schema, value, label] of validations) {
|
||||
if (value !== undefined) {
|
||||
const result = schema.safeParse(value);
|
||||
if (!result.success) {
|
||||
Taro.showToast({ title: `${label}: ${result.error.errors[0].message}`, icon: 'none' });
|
||||
return;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
setSubmitting(true);
|
||||
try {
|
||||
await createDailyMonitoring({
|
||||
|
||||
@@ -8,6 +8,7 @@ import {
|
||||
listProducts,
|
||||
} from '../../services/points';
|
||||
import type { PointsAccount, PointsProduct, CheckinStatus } from '../../services/points';
|
||||
import { useAuthStore } from '../../stores/auth';
|
||||
import EmptyState from '../../components/EmptyState';
|
||||
import Loading from '../../components/Loading';
|
||||
import './index.scss';
|
||||
@@ -26,6 +27,7 @@ const TYPE_COLORS: Record<string, string> = {
|
||||
};
|
||||
|
||||
export default function Mall() {
|
||||
const { currentPatient } = useAuthStore();
|
||||
const [account, setAccount] = useState<PointsAccount | null>(null);
|
||||
const [checkinStatus, setCheckinStatus] = useState<CheckinStatus | null>(null);
|
||||
const [products, setProducts] = useState<PointsProduct[]>([]);
|
||||
@@ -34,9 +36,15 @@ export default function Mall() {
|
||||
const [total, setTotal] = useState(0);
|
||||
const [loading, setLoading] = useState(false);
|
||||
const [checkinLoading, setCheckinLoading] = useState(false);
|
||||
const [noProfile, setNoProfile] = useState(false);
|
||||
const loadingRef = useRef(false);
|
||||
|
||||
const fetchAccountAndCheckin = useCallback(async () => {
|
||||
if (!currentPatient) {
|
||||
setNoProfile(true);
|
||||
return;
|
||||
}
|
||||
setNoProfile(false);
|
||||
try {
|
||||
const [acct, status] = await Promise.all([
|
||||
getAccount(),
|
||||
@@ -45,9 +53,9 @@ export default function Mall() {
|
||||
setAccount(acct);
|
||||
setCheckinStatus(status);
|
||||
} catch {
|
||||
// 账户可能尚未创建,静默处理
|
||||
// 账户可能尚未创建
|
||||
}
|
||||
}, []);
|
||||
}, [currentPatient]);
|
||||
|
||||
const fetchProducts = useCallback(
|
||||
async (pageNum: number, type: string, isRefresh = false) => {
|
||||
@@ -144,6 +152,21 @@ export default function Mall() {
|
||||
|
||||
return (
|
||||
<View className='mall-page'>
|
||||
{/* 未关联患者档案时显示引导 */}
|
||||
{noProfile && (
|
||||
<View className='mall-page'>
|
||||
<EmptyState
|
||||
icon='👤'
|
||||
text='请先完善个人档案'
|
||||
hint='建档后即可使用积分商城、签到等功能'
|
||||
actionText='去建档'
|
||||
onAction={() => Taro.navigateTo({ url: '/pages/profile/family-add/index' })}
|
||||
/>
|
||||
</View>
|
||||
)}
|
||||
|
||||
{!noProfile && (
|
||||
<>
|
||||
{/* 积分余额卡片 */}
|
||||
<View className='mall-header'>
|
||||
<View className='points-card'>
|
||||
@@ -239,6 +262,8 @@ export default function Mall() {
|
||||
)}
|
||||
</View>
|
||||
)}
|
||||
</>
|
||||
)}
|
||||
</View>
|
||||
);
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user